
How to sandbox a command line tool?

I have a simple Unix tool, made by me, that launches the main Cocoa app from a shell.

I need to sandbox it, but when I run it, it crashes with the error "Illegal instruction: 4". In Console.app I can see the following error message:

Sandbox creation failed: Container object initialization failed: NIL container info object with no error description for visdiff

The file is correctly signed with codesign.

I've read the post "Mac OS app, sandbox with command line tool?" but it doesn't help.

dafi asked Oct 18 '12 17:10


3 Answers

I was having this exact problem, and it went away when I added an embedded Info.plist.

Try these clang flags (assuming you have info.plist in the build directory):

-Xlinker -sectcreate -Xlinker __TEXT -Xlinker __info_plist -Xlinker info.plist

Nick Moore answered Dec 01 '22 07:12


While @Nick Moore's answer is perfectly fine, there's an option for this in today's Xcode under Packaging - Create Info.plist Section in Binary (CREATE_INFOPLIST_SECTION_IN_BINARY). All that's needed is setting this to Yes.

Charlie Monroe answered Dec 01 '22 06:12
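
A way to confirm the condition the two answers above address, as an added example that is not code from any of the posters: it parses a thin 64-bit Mach-O file and returns the Info.plist stored in the __TEXT,__info_plist section, or None when the section is missing. The names embedded_info_plist and constructed_sample are hypothetical, universal (fat) binaries are not handled, and the sample image is constructed for the demonstration.

```python
import plistlib
import struct

MH_MAGIC_64 = 0xFEEDFACF                       # thin 64-bit little-endian Mach-O
LC_SEGMENT_64 = 0x19
HEADER = struct.Struct("<IiiIIIII")            # mach_header_64 (32 bytes)
SEGMENT = struct.Struct("<II16sQQQQiiII")      # segment_command_64 (72 bytes)
SECTION = struct.Struct("<16s16sQQIIIIIIII")   # section_64 (80 bytes)


def embedded_info_plist(image: bytes):
    """Return the plist in __TEXT,__info_plist as a dict, or None if the section is absent."""
    if len(image) < HEADER.size or HEADER.unpack_from(image)[0] != MH_MAGIC_64:
        raise ValueError("not a thin 64-bit little-endian Mach-O image")
    ncmds, pos = HEADER.unpack_from(image)[4], HEADER.size
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", image, pos)
        if cmdsize < 8 or pos + cmdsize > len(image):
            raise ValueError("malformed load command")
        if cmd == LC_SEGMENT_64:
            nsects = SEGMENT.unpack_from(image, pos)[9]
            if SEGMENT.size + nsects * SECTION.size > cmdsize:
                raise ValueError("section table overruns its load command")
            for i in range(nsects):
                sect = SECTION.unpack_from(image, pos + SEGMENT.size + i * SECTION.size)
                name, seg, size, offset = sect[0], sect[1], sect[3], sect[4]
                if (seg.rstrip(b"\0"), name.rstrip(b"\0")) == (b"__TEXT", b"__info_plist"):
                    if offset + size > len(image):
                        raise ValueError("section extends past end of file")
                    return plistlib.loads(image[offset:offset + size])
        pos += cmdsize
    return None


def constructed_sample(plist_bytes=None):
    """Constructed image: header plus one __TEXT segment, optionally carrying __info_plist."""
    nsects = 1 if plist_bytes else 0
    data_off = HEADER.size + SEGMENT.size + nsects * SECTION.size
    sections = b""
    if plist_bytes:
        sections = SECTION.pack(b"__info_plist", b"__TEXT", 0, len(plist_bytes),
                                data_off, 0, 0, 0, 0, 0, 0, 0)
    cmdsize = SEGMENT.size + len(sections)
    seg = SEGMENT.pack(LC_SEGMENT_64, cmdsize, b"__TEXT", 0, 0, 0, 0, 5, 5, nsects, 0)
    hdr = HEADER.pack(MH_MAGIC_64, 0x0100000C, 0, 2, 1, cmdsize, 0, 0)
    return hdr + seg + sections + (plist_bytes or b"")
```

To check a real build, pass the bytes of the signed tool to embedded_info_plist; a None result means the binary was linked without the embedded Info.plist section.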


Is the console application launched directly from console or is it called from a main sandboxed application? I received a similar error when trying to sandbox some binaries and I was just able to make it work by using only the below entitlements:

<dict>
  <key>com.apple.security.app-sandbox</key>
  <true/>
  <key>com.apple.security.inherit</key>
  <true/>
</dict>

Of course, after that you can only call the binary from a parent process that is already sandboxed (that is why I asked how your binary was called :)).

ryotakatsuki answered Dec 01 '22 06:12